[Bug 1910611] Re: sssd startup fails when apparmor in enforcing mode
** Changed in: apparmor
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1910611

Title:
  sssd startup fails when apparmor in enforcing mode

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1910611/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1910611] Re: sssd startup fails when apparmor in enforcing mode
This bug was fixed in the package sssd - 2.2.3-3ubuntu0.3

---
sssd (2.2.3-3ubuntu0.3) focal; urgency=medium

  * d/apparmor-profile: Update profile. (LP: #1910611)
    - Extend read permissions to /etc/sssd/** and /etc/gss/**.
    - Add read/execute permission to /usr/libexec/sssd/*.

 -- Sergio Durigan Junior  Mon, 18 Jan 2021 16:30:13 -0500

** Changed in: sssd (Ubuntu Focal)
       Status: Fix Committed => Fix Released
[Bug 1910611] Re: sssd startup fails when apparmor in enforcing mode
This bug was fixed in the package sssd - 2.3.1-3ubuntu3

---
sssd (2.3.1-3ubuntu3) groovy; urgency=medium

  * d/apparmor-profile: Update profile. (LP: #1910611)
    - Extend read permissions to /etc/sssd/conf.d/* and /etc/gss/mech.d/*.
    - Add read/execute permission to /usr/libexec/sssd/*.

 -- Sergio Durigan Junior  Mon, 18 Jan 2021 16:56:21 -0500

** Changed in: sssd (Ubuntu Groovy)
       Status: Fix Committed => Fix Released
[Bug 1910611] Re: sssd startup fails when apparmor in enforcing mode
Performing the verification on Groovy:

First, confirming that the current sssd manifests the bug:

# apt policy sssd
sssd:
  Installed: 2.3.1-3ubuntu2
  Candidate: 2.3.1-3ubuntu2
  Version table:
 *** 2.3.1-3ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu groovy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.3.1-3 500
        500 http://archive.ubuntu.com/ubuntu groovy/main amd64 Packages
# aa-enforce sssd
Setting /usr/sbin/sssd to enforce mode.
# systemctl restart sssd.service
Job for sssd.service failed because the control process exited with error code.
See "systemctl status sssd.service" and "journalctl -xe" for details.
# dmesg | grep DENIED
[ 49.513861] audit: type=1400 audit(1611583630.788:14): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/sssd/conf.d/" pid=1876 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 49.514342] audit: type=1400 audit(1611583630.792:15): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/usr/share/sssd/cfg_rules.ini" pid=1876 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
...

Now, confirming that the sssd on -proposed fixes the problem:

# apt policy sssd
sssd:
  Installed: 2.3.1-3ubuntu3
  Candidate: 2.3.1-3ubuntu3
  Version table:
 *** 2.3.1-3ubuntu3 500
        500 http://archive.ubuntu.com/ubuntu groovy-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2.3.1-3ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu groovy-updates/main amd64 Packages
     2.3.1-3 500
        500 http://archive.ubuntu.com/ubuntu groovy/main amd64 Packages
# systemctl restart sssd
# echo $?
0

This verifies that the Groovy sssd package in -proposed fixes the bug.

** Tags removed: verification-needed verification-needed-groovy
** Tags added: verification-done-groovy
[Bug 1910611] Re: sssd startup fails when apparmor in enforcing mode
Performing the verification on Focal:

First, confirming that the current sssd manifests the bug:

# apt policy sssd
sssd:
  Installed: 2.2.3-3ubuntu0.2
  Candidate: 2.2.3-3ubuntu0.2
  Version table:
 *** 2.2.3-3ubuntu0.2 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.2.3-3ubuntu0.1 500
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
     2.2.3-3 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
# aa-enforce sssd
Setting /usr/sbin/sssd to enforce mode.
# systemctl restart sssd.service
Job for sssd.service failed because the control process exited with error code.
See "systemctl status sssd.service" and "journalctl -xe" for details.
# dmesg | grep DENIED
[ 41.098915] audit: type=1400 audit(1611583202.421:14): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/sssd/conf.d/" pid=1933 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 41.099185] audit: type=1400 audit(1611583202.421:15): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/usr/share/sssd/cfg_rules.ini" pid=1933 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
...

Now, confirming that the sssd on -proposed fixes the problem:

# apt policy sssd
sssd:
  Installed: 2.2.3-3ubuntu0.3
  Candidate: 2.2.3-3ubuntu0.3
  Version table:
 *** 2.2.3-3ubuntu0.3 500
        500 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2.2.3-3ubuntu0.2 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
     2.2.3-3ubuntu0.1 500
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
     2.2.3-3 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
# systemctl restart sssd
# echo $?
0

This verifies that the Focal sssd package in -proposed fixes the bug.

** Tags removed: verification-needed-focal
** Tags added: verification-done-focal
[Bug 1910611] Re: sssd startup fails when apparmor in enforcing mode
Hello richard, or anyone else affected,

Accepted sssd into groovy-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/sssd/2.3.1-3ubuntu3 in a few hours,
and then in the -proposed repository.

Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-groovy to verification-done-groovy. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-groovy. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: sssd (Ubuntu Groovy)
       Status: New => Fix Committed

** Tags added: verification-needed verification-needed-groovy

** Changed in: sssd (Ubuntu Focal)
       Status: New => Fix Committed

** Tags added: verification-needed-focal
[Bug 1910611] Re: sssd startup fails when apparmor in enforcing mode
This bug was fixed in the package sssd - 2.4.0-1ubuntu3

---
sssd (2.4.0-1ubuntu3) hirsute; urgency=medium

  * d/apparmor-profile: Update profile. (LP: #1910611)
    - Extend read permissions to /etc/sssd/conf.d/* and /etc/gss/mech.d/*.
    - Add read/execute permission to /usr/libexec/sssd/*.

 -- Sergio Durigan Junior  Mon, 18 Jan 2021 16:57:21 -0500

** Changed in: sssd (Ubuntu Hirsute)
       Status: New => Fix Released
[Bug 1910611] Re: sssd startup fails when apparmor in enforcing mode
** Merge proposal linked:
   https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/396542
[Bug 1910611] Re: sssd startup fails when apparmor in enforcing mode
** Merge proposal linked:
   https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/396453

** Merge proposal linked:
   https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/396454
[Bug 1910611] Re: sssd startup fails when apparmor in enforcing mode
** Description changed:

+ [ Impact ]
+ 
+ sssd users on Focal, Groovy and Hirsute can experience problems when
+ setting sssd's apparmor profile to "Enforce" mode. In this scenario,
+ apparmor will prevent sssd from being able to execute programs under the
+ /usr/libexec/sssd/* path, which will cause the sssd service to fail to
+ start.
+ 
+ Aside from the deny mentioned above, the sssd apparmor profile also
+ needs to be updated to reflect the fact that sssd will also need to have
+ read access to files under the /etc/sssd/conf.d/* and /etc/gss/mech.d/*
+ directories.
+ 
+ [ Test Case ]
+ 
+ Using an LXD VM, one can:
+ 
+ $ lxc launch image:ubuntu/focal sssd-bug1910611-focal --vm
+ $ lxc shell sssd-bug1910611-focal
+ # apt update && apt install apparmor-utils sssd -y
+ ...
+ # cat > /etc/sssd/sssd.conf << __EOF__
+ [sssd]
+ config_file_version = 2
+ domains = example.com
+ 
+ [domain/example.com]
+ id_provider = ldap
+ auth_provider = ldap
+ ldap_uri = ldap://ldap01.example.com
+ cache_credentials = True
+ ldap_search_base = dc=example,dc=com
+ __EOF__
+ # chmod 0600 /etc/sssd/sssd.conf
+ # aa-enforce sssd
+ Setting /usr/sbin/sssd to enforce mode.
+ # systemctl restart sssd.service
+ Job for sssd.service failed because the control process exited with error code.
+ See "systemctl status sssd.service" and "journalctl -xe" for details.
+ # dmesg | grep DENIED
+ ...
+ [ 2011.510479] audit: type=1400 audit(1611007899.726:370): apparmor="DENIED" operation="exec" profile="/usr/sbin/sssd" name="/usr/libexec/sssd/sssd_be" pid=3255 comm="sssd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
+ [ 2011.511822] audit: type=1400 audit(1611007899.726:371): apparmor="DENIED" operation="exec" profile="/usr/sbin/sssd" name="/usr/libexec/sssd/sssd_be" pid=3256 comm="sssd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
+ 
+ The instructions above can be replicated to test things on Groovy and
+ Hirsute.
+ 
+ [ Regression Potential ]
+ 
+ Very little regression potential, since we are expanding the apparmor
+ permissions of sssd, and not reducing them.
+ 
+ * If the user already has apparmor enabled for sssd, she will most
+ likely have addressed these issues by herself, which means that this
+ change will just be a duplicate of what is already on the system.
+ 
+ * If the user does not have apparmor enabled, then nothing will change.
+ 
+ [ Original Description ]
+ 
  sssd fails to start when its apparmor profile is in enforcing mode. The
  OS is Ubuntu 20.04. apparmor-notify shows various denied entries.
  Setting the profile to 'complain' mode allows sssd to start.
  
  We're seeing this in Azure only at this time. Would like to set the
  profile to 'enforcing' as we're trying to achieve CIS compliance.
  
  The following notifications are sample of those observed. What looks
  odd (I am no apparmor wizard) is that the denies are coming from the
  SSSD libraries and not the main binary. Also, no service should be
  denied read on /etc/hosts (second entry below)?
  
  Sample apparmor-notif output here:
  
  Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss
  Operation: open
  Name: /proc/33363/cmdline
  Denied: r
  Logfile: /var/log/audit/audit.log
  (1498 found, most recent from 'Wed Dec 30 20:35:19 2020')
  
  Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
  Operation: open
  Name: /etc/hosts
  Denied: r
  Logfile: /var/log/audit/audit.log
  (294 found, most recent from 'Thu Dec 31 02:55:41 2020')
  
  Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
  Operation: mknod
  Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk
  Denied: c
  Logfile: /var/log/audit/audit.log
  
  Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
  Operation: open
  Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk
  Denied: wrc
  Logfile: /var/log/audit/audit.log
  
  Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
  Operation: chmod
  Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk
  Denied: w
  Logfile: /var/log/audit/audit.log
[Bug 1910611] Re: sssd startup fails when apparmor in enforcing mode
** Also affects: sssd (Ubuntu Groovy)
   Importance: Undecided
       Status: New

** Also affects: sssd (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: sssd (Ubuntu Hirsute)
   Importance: Undecided
     Assignee: Sergio Durigan Junior (sergiodj)
       Status: New

** Changed in: sssd (Ubuntu Focal)
     Assignee: (unassigned) => Sergio Durigan Junior (sergiodj)

** Changed in: sssd (Ubuntu Groovy)
     Assignee: (unassigned) => Sergio Durigan Junior (sergiodj)
[Bug 1910611] Re: sssd startup fails when apparmor in enforcing mode
** Changed in: sssd (Ubuntu)
     Assignee: (unassigned) => Sergio Durigan Junior (sergiodj)
[Bug 1910611] Re: sssd startup fails when apparmor in enforcing mode
** Tags added: server-next
[Bug 1910611] Re: sssd startup fails when apparmor in enforcing mode
Great, thanks Richard!
[Bug 1910611] Re: sssd startup fails when apparmor in enforcing mode
Applying the fix above to /etc/apparmor.d/local/usr.sbin.sssd and
running the parser replace fixed the sssd startup issue. I confirmed by
returning sssd to 'enforce' mode (aa-enforce /usr/sbin/sssd). The
'apparmor_status' output now shows the /usr/libexec/sssd binaries as
well:

apparmor module is loaded.
32 profiles are loaded.
32 profiles are in enforce mode.
   /snap/snapd/10707/usr/lib/snapd/snap-confine
   /snap/snapd/10707/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/chronyd
   /usr/sbin/rsyslogd
   /usr/sbin/sssd
   /usr/sbin/tcpdump
   /{,usr/}sbin/dhclient
   ippusbxd
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   snap-update-ns.lxd
   snap.lxd.activate
   snap.lxd.benchmark
   snap.lxd.buginfo
   snap.lxd.check-kernel
   snap.lxd.daemon
   snap.lxd.hook.configure
   snap.lxd.hook.install
   snap.lxd.hook.remove
   snap.lxd.lxc
   snap.lxd.lxc-to-lxd
   snap.lxd.lxd
   snap.lxd.migrate
0 profiles are in complain mode.
8 processes have profiles defined.
8 processes are in enforce mode.
   /usr/sbin/chronyd (994)
   /usr/sbin/chronyd (998)
   /usr/sbin/rsyslogd (925)
   /usr/sbin/sssd (929)
   /usr/libexec/sssd/sssd_be (1279) /usr/sbin/sssd
   /usr/libexec/sssd/sssd_nss (1480) /usr/sbin/sssd
   /usr/libexec/sssd/sssd_pam (1481) /usr/sbin/sssd
   /usr/libexec/sssd/sssd_ssh (1484) /usr/sbin/sssd
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

Thanks for the help!
[Bug 1910611] Re: sssd startup fails when apparmor in enforcing mode
Hello Richard, it looks like the profile may not have kept up with
changes in the packaging. The profile has probably been broken ever
since:

sssd (2.2.0-1) unstable; urgency=medium

  * New upstream release.
  * control: Bump policy to 4.4.0.
  * control, compat, rules: Bump debhelper to 12.
  * *.install: Updated, some files moved to /usr/libexec.

 -- Timo Aaltonen  Wed, 10 Jul 2019 10:14:09 +0300

Please try adding this line:

  /usr/libexec/sssd/* rmix,

to the file:

  /etc/apparmor.d/local/usr.sbin.sssd

Then, try:

  sudo apparmor_parser --replace /etc/apparmor.d/usr.sbin.sssd
  sudo systemctl restart sssd

Please report back how well this works.

Thanks

** Also affects: sssd (Ubuntu)
   Importance: Undecided
       Status: New
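As an added illustration (not code from this bug thread, nor from the sssd or AppArmor packages), the script below does the triage step behind the workaround and the description's test case: it parses apparmor="DENIED" audit lines like the ones quoted here, aggregates the denied masks per profile and path, and renders candidate rules for the profile's /etc/apparmor.d/local/ override file. The sample lines are constructed from the values quoted in this bug (plus one complain-mode "ALLOWED" line to show it is ignored); parse_denial, rule_perms and denials_to_rules are my own names.

```python
import re
from collections import defaultdict

# Constructed sample input: kernel audit lines shaped like the ones quoted in this
# bug (values copied from the report). The last line is a constructed complain-mode
# entry, which must not produce a rule.
SAMPLE_DMESG = """\
[ 2011.510479] audit: type=1400 audit(1611007899.726:370): apparmor="DENIED" operation="exec" profile="/usr/sbin/sssd" name="/usr/libexec/sssd/sssd_be" pid=3255 comm="sssd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 49.513861] audit: type=1400 audit(1611583630.788:14): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/sssd/conf.d/" pid=1876 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 49.514342] audit: type=1400 audit(1611583630.792:15): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/usr/share/sssd/cfg_rules.ini" pid=1876 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2011.511822] audit: type=1400 audit(1611007899.726:371): apparmor="DENIED" operation="exec" profile="/usr/sbin/sssd" name="/usr/libexec/sssd/sssd_be" pid=3256 comm="sssd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 50.000000] audit: type=1400 audit(1611583631.000:16): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/etc/hosts" pid=1876 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs in an audit record; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key/value fields of an apparmor="DENIED" line, or None for any other line."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def rule_perms(denied_mask):
    """Translate a denied_mask into file-rule permission letters.

    create/delete/append ('c', 'd', 'a') are all granted by 'w'; a denied 'x'
    becomes 'ix' so the child inherits the parent's profile instead of running
    unconfined (the same exec mode the workaround line in this bug uses).
    """
    perms = 'r' if 'r' in denied_mask else ''
    if any(c in denied_mask for c in 'wcda'):
        perms += 'w'
    perms += ''.join(p for p in 'mkl' if p in denied_mask)
    if 'x' in denied_mask:
        perms += 'ix'
    return perms


def denials_to_rules(text):
    """Aggregate denied masks per (profile, path) and render one candidate rule per path."""
    masks = defaultdict(str)
    for line in text.splitlines():
        d = parse_denial(line)
        if d and 'name' in d:          # capability/network denials carry no path; skip them
            masks[(d['profile'], d['name'])] += d.get('denied_mask', '')
    rules = defaultdict(list)
    for (profile, path), mask in sorted(masks.items()):
        rules[profile].append(f'{path} {rule_perms(mask)},')
    return dict(rules)


def render_local_override(rules, profile):
    """Body for the profile's /etc/apparmor.d/local/ override (the file the workaround edits)."""
    body = ['# candidate rules derived from audit denials; review each one before loading']
    body += rules.get(profile, [])
    return '\n'.join(body) + '\n'


if __name__ == '__main__':
    print(render_local_override(denials_to_rules(SAMPLE_DMESG), '/usr/sbin/sssd'))
```

Each generated line still needs a human decision (for instance, widening a single binary to the /usr/libexec/sssd/* glob as the fix did) before it goes through apparmor_parser --replace.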